On 26.03.2016 00:56, Alexey Khoroshilov wrote:
> On 26.03.2016 01:03, Vladimir Zapolskiy wrote:
>> On 25.03.2016 22:23, Alexey Khoroshilov wrote:
>>> Fixing checks for dma mapping error in qset_fill_page_list(),
>>> I have missed two similar problems in qset_add_urb_sg() and
>>> in qset_add_urb_sg_linearize().
>>>
>>> Found by Linux Driver Verification project (linuxtesting.org).
>>>
>>> Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
>>> ---
>>> drivers/usb/host/whci/qset.c | 6 +++++-
>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c
>>> index 1a8e960d073b..a8e9b618e643 100644
>>> --- a/drivers/usb/host/whci/qset.c
>>> +++ b/drivers/usb/host/whci/qset.c
>>> @@ -535,9 +535,11 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u
>>> list_for_each_entry(std, &qset->stds, list_node) {
>>> if (std->ntds_remaining == -1) {
>>> pl_len = std->num_pointers * sizeof(struct whc_page_list_entry);
>>> - std->ntds_remaining = ntds--;
>>> std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt,
>>> pl_len, DMA_TO_DEVICE);
>>> + if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr))
>>> + return -EFAULT;
>>
>> Resources are leaked on error path:
>> * std->pl_virt -- most probably, at least it is freed on error path above,
>> * dma mappings done in a loop before met error,
>>
>
> As far as I can see, it is not the case.
> If qset_add_urb_sg() returns error code, the caller (qset_add_urb())
> invokes qset_free_stds() that performs all resource deallocations.
Ok, but qset_free_std() lacks dma_mapping_error() check for mappings,
will it try to unmap a nonexistent/invalid mapping?
> As for the error path above, I consider it as a typical krealloc()
> pattern, since it does not frees memory allocated at previous iterations
> of the cycle.
>
The dynamically (re-)allocated memory is freed by qset_free_std(),
that said kfree() and pointer assignment to NULL in qset_add_urb_sg()
error path may be removed IMHO.
--
With best wishes,
Vladimir
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
